Linux 服务器加入Windows AD

背景信息：

Windows AD Version: Windows Server 2012 R2 zh-cn

计算机全名：hlm12r2n1.hlm.com

域：hlm.com

域控管理员：stone

普通用户：abc; bcd

普通组：hlmgroup，用户bcd在该组下

IP：10.0.0.6

Linux服务器：

具有root权限的用户：ltsstone

操作步骤：

安装所需包文件：

yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools

编辑/etc/resolve.conf文件，将DNS指向DC

[root@hlmcen75n2 ~]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search lqvi3agp2gsunp1mlkwv0vudne.ax.internal.chinacloudapp.cn
nameserver 10.0.0.6

编辑/etc/hosts文件，添加DC的IP及域的对应关系

[root@hlmcen75n2 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.6 hlm12r2n1.hlm.com

将Linux机器加入域

[root@hlmcen75n2 ~]# realm join hlm12r2n1.hlm.com -U stone
Password for stone: 

发现可以成功发现域了

[root@hlmcen75n2 ~]# realm list
hlm.com
  type: kerberos
  realm-name: HLM.COM
  domain-name: hlm.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@hlm.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: hlmgroup@hlm.com

将组hlmgroup加入域

[root@hlmcen75n2 sudoers.d]# realm permit -g hlmgroup@hlm.com

可以看到用户stone，abc，bcd可以被成功发现

[root@hlmcen75n2 ~]# id stone@hlm.com
uid=(stone) gid=(domain users) groups=(domain users),(group policy creator owners),(domain admins),(schema admins),(denied rodc password replication group),(enterprise admins)

[root@hlmcen75n2 ~]# id abc@hlm.com
uid=(abc) gid=(domain users) groups=(domain users)

[root@hlmcen75n2 ~]# id bcd@hlm.com
uid=(bcd) gid=(domain users) groups=(domain users),(hlmgroup)

为使用户不需用带域名就可以被识别，需要修改配置文件/etc/sssd/sssd.conf，将use_fully_qualified_names行的True值修改为False

[root@hlmcen75n2 ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = hlm.com
config_file_version =
services = nss, pam

[domain/hlm.com]
ad_server = hlm12r2n1.hlm.com
ad_domain = hlm.com
krb5_realm = HLM.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = hlmgroup@hlm.com

重启sssd服务，重新列出预控信息

[root@hlmcen75n2 ~]# systemctl restart sssd
[root@hlmcen75n2 ~]# realm list
hlm.com
  type: kerberos
  realm-name: HLM.COM
  domain-name: hlm.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: hlmgroup@hlm.com

发现不加域信息，Linux服务器也可以识别域用户

[root@hlmcen75n2 ~]# id stone
uid=(stone) gid=(domain users) groups=(domain users),(group policy creator owners),(domain admins),(schema admins),(denied rodc password replication group),(enterprise admins)
[root@hlmcen75n2 ~]# id abc
uid=(abc) gid=(domain users) groups=(domain users)
[root@hlmcen75n2 ~]# id bcd
uid=(bcd) gid=(domain users) groups=(domain users),(hlmgroup)

尝试切换到域用户，发现无法进入root管理员权限，提示

[root@hlmcen75n2 ~]# su - abc
Last login: Mon Sep  :: UTC  on pts/
[abc@hlmcen75n2 ~]$ sudo su - root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #) Respect the privacy of others.
    #) Think before you type.
    #) With great power comes great responsibility.

[sudo] password for abc:
abc is not in the sudoers file.  This incident will be reported.
[abc@hlmcen75n2 ~]$ 

编辑 /etc/sudoers.d/waagent 文件，将需要root权限的用户加入到其下

[root@hlmcen75n2 ~]# vim /etc/sudoers.d/waagent
[root@hlmcen75n2 ~]# cat /etc/sudoers.d/waagent
ltsstone ALL=(ALL) ALL
abc ALL=(ALL) ALL

重新尝试切换root用户，发现已经可以

[root@hlmcen75n2 ~]# sudo su - abc
Last login: Tue Sep  :: UTC  on pts/
[abc@hlmcen75n2 ~]$ sudo su - root
[sudo] password for abc:
Last login: Tue Sep  :: UTC  on pts/
[root@hlmcen75n2 ~]# 

备注：

执行命令：realm join hlm12r2n1.hlm.com -U stone，messages日志发现加入域的认证过程如下：

Sep  :: hlmcen75n2 realmd: * Resolving: _ldap._tcp.hlm12r2n1.hlm.com
Sep  :: hlmcen75n2 realmd: * Resolving: hlm12r2n1.hlm.com
Sep  :: hlmcen75n2 realmd: * Performing LDAP DSE lookup on: 10.0.0.6
Sep  :: hlmcen75n2 realmd: * Successfully discovered: hlm.com
Sep  :: hlmcen75n2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Sep  :: hlmcen75n2 realmd: * LANG=C /usr/sbin/adcli join --verbose --domain hlm.com --domain-realm HLM.COM --domain-controller 10.0.0.6 --login-type user --login-user stone --stdin-password
Sep  :: hlmcen75n2 realmd: * Using domain name: hlm.com
Sep  :: hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
Sep  :: hlmcen75n2 realmd: * Using domain realm: hlm.com
Sep  :: hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
Sep  :: hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
Sep  :: hlmcen75n2 realmd: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-zqaVb2/krb5.d/adcli-krb5-conf-N3Soi1
Sep  :: hlmcen75n2 realmd: * Authenticated as user: stone@HLM.COM
Sep  :: hlmcen75n2 realmd: * Looked up short domain name: HLM
Sep  :: hlmcen75n2 realmd: * Using fully qualified name: hlmcen75n2
Sep  :: hlmcen75n2 realmd: * Using domain name: hlm.com
Sep  :: hlmcen75n2 realmd: * Using computer account name: HLMCEN75N2
Sep  :: hlmcen75n2 realmd: * Using domain realm: hlm.com
Sep  :: hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
Sep  :: hlmcen75n2 realmd: * Generated  character computer password
Sep  :: hlmcen75n2 realmd: * Using keytab: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * Found computer account for HLMCEN75N2$ at: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
Sep  :: hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
Sep  :: hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
Sep  :: hlmcen75n2 realmd: * Set computer password
Sep  :: hlmcen75n2 realmd: * Retrieved kvno '' for computer account in directory: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
Sep  :: hlmcen75n2 realmd: * Modifying computer account: userAccountControl
Sep  :: hlmcen75n2 realmd: * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
Sep  :: hlmcen75n2 realmd: * Modifying computer account: userPrincipalName
Sep  :: hlmcen75n2 realmd: ! Couldn't set service principals on computer account CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com: 00002083: AtrErr: DSID-03151337, #1:
Sep  :: hlmcen75n2 realmd: #: : DSID-, problem  (ATT_OR_VALUE_EXISTS), data , Att  (servicePrincipalName)
Sep  :: hlmcen75n2 realmd:
Sep  :: hlmcen75n2 realmd: * Discovered which keytab salt to use
Sep  :: hlmcen75n2 realmd: * Added the entries to the keytab: HLMCEN75N2$@HLM.COM: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * Added the entries to the keytab: host/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * Added the entries to the keytab: host/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
Sep  :: hlmcen75n2 realmd: * /usr/bin/systemctl enable sssd.service
Sep  :: hlmcen75n2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Sep  :: hlmcen75n2 systemd: Reloading.
Sep  :: hlmcen75n2 realmd: * /usr/bin/systemctl restart sssd.service
Sep  :: hlmcen75n2 systemd: Starting System Security Services Daemon...
Sep  :: hlmcen75n2 sssd: Starting up
Sep  :: hlmcen75n2 sssd[be[hlm.com]]: Starting up
Sep  :: hlmcen75n2 sssd[nss]: Starting up
Sep  :: hlmcen75n2 sssd[pam]: Starting up
Sep  :: hlmcen75n2 systemd: Started System Security Services Daemon.
Sep  :: hlmcen75n2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Sep  :: hlmcen75n2 systemd: Reloading.
Sep  :: hlmcen75n2 systemd: Reloading.
Sep  :: hlmcen75n2 realmd: * Successfully enrolled machine in realm

执行命令：realm list列出域的相关信息，messages日志发现相应的记录信息如下：

Sep  :: hlmcen75n2 dbus[]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Sep  :: hlmcen75n2 systemd: Starting Realm and Domain Configuration...
Sep  :: hlmcen75n2 dbus[]: [system] Successfully activated service 'org.freedesktop.realmd'
Sep  :: hlmcen75n2 systemd: Started Realm and Domain Configuration.

执行命令：realm leave hlm.com，messages日志发现脱域的相关记录如下：

Sep  :: hlmcen75n2 python: // ::39.018384 INFO Event: name=WALinuxAgent, op=HeartBeat, message=, duration=
Sep  :: hlmcen75n2 realmd: * Removing entries from keytab for realm
Sep  :: hlmcen75n2 realmd: * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
Sep  :: hlmcen75n2 realmd: * Removing domain configuration from sssd.conf
Sep  :: hlmcen75n2 realmd: * /usr/sbin/authconfig --update --disablesssdauth --nostart
Sep  :: hlmcen75n2 systemd: Reloading.
Sep  :: hlmcen75n2 realmd: * /usr/bin/systemctl disable sssd.service
Sep  :: hlmcen75n2 realmd: Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
Sep  :: hlmcen75n2 systemd: Reloading.
Sep  :: hlmcen75n2 realmd: * /usr/bin/systemctl stop sssd.service
Sep  :: hlmcen75n2 systemd: Stopping System Security Services Daemon...
Sep  :: hlmcen75n2 sssd[nss]: Shutting down
Sep  :: hlmcen75n2 sssd[be[hlm.com]]: Shutting down
Sep  :: hlmcen75n2 sssd[pam]: Shutting down
Sep  :: hlmcen75n2 systemd: Stopped System Security Services Daemon.
Sep  :: hlmcen75n2 realmd: * Successfully unenrolled machine from realm

在测试时，发现加域的命令为 "realm join hlm.com -U stone" 时，可以成功加入域，但无法设别DC下的用户，需要在域名前加上DC的主机名，正确加域的命令为 "realm join hlm12r2n1.hlm.com -U stone"